server.listen's bind argument does not accept [::] for ipv6 #54441
Comments
This was discovered via mastodon/mastodon#31395
Interestingly,
@RedYetiDev I believe this affects all
@nodejs/net + @nodejs/dns
require('http').createServer((req, res) => {
  res.statusCode = 200;
  res.end("OK");
}).listen(4001, '[::]');

$ node repro.js
node:events:498
      throw er; // Unhandled 'error' event
      ^
Error: getaddrinfo ENOTFOUND [::]
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:26)
Emitted 'error' event on Server instance at:
    at GetAddrInfoReqWrap.doListen [as callback] (node:net:2130:12)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:17) {
  errno: -3008,
  code: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: '[::]'
}
Node.js v22.6.0
This has been reported and discussed before but
I think it should be possible to accept and ignore the brackets without introducing ambiguities. It is however definitely a change in behavior and therefore may have backwards compatibility and/or security implications for downstream users.
Yeah, it could also be Ruby/Rails which is wrong in using URL syntax in their BIND environment variable. I think automatically stripping brackets with a warning might be okay?
I would not add any specific stripping to this; these kinds of things often end up as attack surfaces for vulnerability hunters. The loopback interface is
Would it be possible to throw a better error here? e.g., an invalid argument error that explains :: vs [::] if the input argument for bind starts with [ ?
I think that would be a very good idea.
I'm not sure where / how I'd do a patch for something like that — it's been far too long since I've contributed to the Node.js codebase.
Fixes: nodejs#54441 Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
My attempt to add a general regex check at a higher level is not feasible. The For this specific issue, I think it's kind of like a matter of deciding whether/how we want to enforce host validation within Edit: for reference, Line 1596 in 885692a
Fixes: nodejs#54441 Co-authored-by: Luigi Pinca <luigipinca@gmail.com> PR-URL: nodejs#54470 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
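The clearer error proposed in the thread, sketched as an application-side check that rejects a bracketed host instead of stripping it. This is an added example, not the change merged in nodejs#54470 and not Node.js source; `checkBindHost`, `describeBindHost`, `listenChecked` and the `ERR_INVALID_BIND_HOST` code are hypothetical names.

```javascript
// Added example (not Node.js source): reject URL-style bracketed hosts up front
// with a clear message, instead of letting them fail later in getaddrinfo.
const net = require('net');

// checkBindHost is a hypothetical helper name. It returns the host unchanged
// when it is usable and throws when it carries URL-style brackets.
function checkBindHost(host) {
  if (typeof host !== 'string' || host.length === 0) {
    throw new TypeError('bind host must be a non-empty string');
  }
  if (host.startsWith('[') || host.endsWith(']')) {
    // The brackets are removed only to build the hint; the value is never
    // silently rewritten and passed on.
    const inner = host.replace(/^\[/, '').replace(/\]$/, '');
    const hint = net.isIPv6(inner)
      ? `use "${inner}" instead`
      : 'brackets are URL syntax and are not valid in a bind host';
    const err = new TypeError(`Invalid bind host "${host}": ${hint}`);
    err.code = 'ERR_INVALID_BIND_HOST'; // constructed code, not a Node.js one
    throw err;
  }
  return host;
}

// Classify an accepted host: 'ipv4', 'ipv6', or 'hostname' (resolved via DNS).
function describeBindHost(host) {
  const family = net.isIP(checkBindHost(host)); // 0, 4 or 6
  return family === 0 ? 'hostname' : `ipv${family}`;
}

// Wrapper for server.listen(port, host) that validates first.
function listenChecked(server, port, host) {
  return server.listen(port, checkBindHost(host));
}

// Constructed sample values, e.g. as read from a shared BIND setting.
for (const sample of ['::', '127.0.0.1', 'localhost', '[::]', '[::1]']) {
  try {
    console.log(`${sample} -> ${describeBindHost(sample)}`);
  } catch (err) {
    console.log(`${sample} -> ${err.code}: ${err.message}`);
  }
}
```

Failing at configuration time keeps the operator's value visible in the error, where an `ENOTFOUND` from the resolver hides that the brackets were the problem.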
Version
22, 20
Platform
Subsystem
net or dns
What steps will reproduce the bug?
Outputs:
(also reproducible on 22.2.0, same error)
How often does it reproduce? Is there a required condition?
Always
What is the expected behavior? Why is that the expected behavior?
Should listen on all interfaces for ipv6.
What do you see instead?
Server fails to start with an error.
Additional information
Using bind of :: works, so the following succeeds:
This causes compatibility issues if you've configuration that has a BIND parameter that needs to be passed to Node.js and another process, such as the Ruby on Rails built-in server, which doesn't accept bind of :: but does accept [::]